From skills-janitor
Heuristic security scan of installed skills to detect prompt-injection, hidden unicode instructions, credential access, and payload smuggling. Run via '/janitor-security'.
How this skill is triggered — by the user, by Claude, or both
Slash command
/skills-janitor:janitor-security [--path <dir>] [--json][--path <dir>] [--json]This skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Heuristic scan of skill content for prompt-injection and malicious patterns.
Heuristic scan of skill content for prompt-injection and malicious patterns.
A skill is text your agent trusts: its SKILL.md is read as instructions and its scripts run on your machine. Public research (Snyk's ToxicSkills, 2026) found prompt injection in roughly a third of tested community skills. This scan flags the known bad shapes across every installed skill, in every scope (user, project, codex, plugin):
curl … | bash), decode-and-execute, credential-store access (~/.ssh, ~/.aws, keychain), URL shorteners, plain-HTTP calls, uploads of variable dataFindings are heuristics, not proof: a RISK verdict means "read this before trusting it". Legit tools trip these rules too (e.g. an installer that pipes curl into bash) — the point is that YOU see it and decide.
scripts/security.sh)bash ~/.claude/skills/skills-janitor/scripts/security.sh # all installed skills
bash ~/.claude/skills/skills-janitor/scripts/security.sh --json # machine-readable
bash ~/.claude/skills/skills-janitor/scripts/security.sh --path ~/some/skill-dir # one directory
Per-skill verdict: RISK (any HIGH finding), REVIEW (any MEDIUM), PASS. For each flagged skill show the finding titles, the file, and the evidence snippet. Do NOT call a finding "malware" — describe what the pattern does and let the user judge intent (e.g. "media-use pipes a HeyGen installer from the network into bash — a common install pattern, but verify the URL before trusting it").
/janitor-swipe or delete it outright/janitor-discover <url> runs this same scan pre-installSummary line (Scanned: N | RISK: x | REVIEW: y | PASS: z) followed by flagged skills, each with severity-tagged findings, the file, and an evidence snippet. --json emits the full structured report.
Error: security.sh: No such file or directory
Solution: The plugin is installed under a different root — locate it with ls ~/.claude/skills or check the plugin cache.
Error: Everything shows PASS but the user expected a finding Solution: The scan covers markdown and script files up to 1MB, 200 files per skill; binaries and huge files are skipped. Check the specific file manually.
Error: A trusted skill shows RISK Solution: Expected for tools that legitimately use flagged patterns (installers, credential helpers). Read the evidence line — if it matches the tool's documented purpose, note it and move on. Verdicts are advisory; nothing is deleted.
Input: "Are my skills safe? Check for prompt injection."
Output: Run the scan, lead with the summary ("178 scanned, 2 RISK, 0 REVIEW"), then explain each flagged skill in plain language with its evidence, and close with a recommendation per skill.
Input: "Scan ~/Downloads/cool-skill before I install it."
Output: Run with --path ~/Downloads/cool-skill and present the verdict; suggest /janitor-discover for the overlap check too.
{baseDir}/../../scripts/security.sh/janitor-discover <url> — pre-install check (overlap + this security scan on the fetched SKILL.md)/janitor-report — general health check (errors, duplicates, broken skills)/janitor-swipe — delete what you don't trustnpx claudepluginhub khendzel/skills-janitor --plugin skills-janitorScans agent skills for prompt injection, malicious code, excessive permissions, secret exposure, and supply chain risks before adoption.
Scans agent skills for security risks including prompt injection, malicious scripts, excessive permissions, secret exposure, and supply chain issues. Runs static analysis via a bundled Python script.
Scans AgentSkill packages for credential theft, code injection, prompt manipulation, data exfiltration, and evasion techniques. Use when evaluating skills from ClawHub or any untrusted source.